This change has also brought new technology needs. Since these businesses had built technology infrastructures that relied on traditional network and application architecture, a shift had to occur. Suddenly, IT departments were dealing with overloaded VPNs or having to deploy a VPN that they had never had to maintain before. Compound that with the fact that users are now accessing company resources from networks or assets that corporate IT has no control over, that most home routers are still vulnerable to exploitation and that, in many cases, the network gates were flung open in the name of productivity, and it’s enough to give any CISO an ulcer.
So how can companies mitigate these risks? Now that everyone is settling into a routine and we’re adjusting to this “new normal,” it’s an ideal time to reach out to your users and talk about security. Your users are your best allies in the fight to keep your information secure. Make sure they know how important their role is and help educate them, but more importantly, give them the tools they need to be successful.
Security for Work from Home Users
For enterprises that were able to provide workers with laptops or other devices and were able to simply add capacity to their existing VPNs, consider yourselves lucky. You still have control over the endpoint device and you’re largely in the clear as long as you keep up a good patching process, have your VPN properly configured and are leveraging technologies such as multifactor authentication (MFA) and endpoint protection.
Measures such as disabling split tunneling are advisable, but they should be driven by risk assessments or regulatory requirements, not by a desire to push everyone through your corporate internet connection.
Security for Small Organizations
I’m more concerned with the IT and security at smaller organizations. I’m referring to the teams that were scrambling to figure out how to integrate a VPN and remote workforce into their organization because they had never done it before, or the ones who just had a few mobile workers largely using remote access to check their email; the admins that suddenly had to allow employees to connect to the corporate network with their personal computers because they didn’t have the resources to give everyone a work-from-home computer; the ones that lie awake at night in a cold sweat wondering when they’re going to find all their corporate information on Pastebin.
For you, now is the time to consider an IT transformation. If you haven’t already migrated to cloud and Software as a Service (SaaS) offerings, now is the time to consider it. Yes, I know the idea of handing over all your data to a third party is a frightening concept, but this is where a third-party risk management program comes into play. Many providers make information about their independent security assessments available to their customers so that customers can make informed decisions about the risk they may be exposed to.
These providers also tend to take care of the heavy lifting of providing end-to-end transport layer security (TLS) encryption, so you can rest just a little bit easier knowing that your information is flowing through networks you can’t control. But we’re not quite out of the woods yet: it doesn’t matter if your cloud provider is the digital equivalent of Fort Knox if a threat actor can access your systems with a weak or reused password. Adding multifactor authentication and user education can reduce this risk.
The Security Value of VDI
If you’re not ready to make the move to the cloud and you need to let users access company resources from untrusted devices, consider a Virtual Desktop Infrastructure (VDI). A properly deployed and secured VDI can give users who don’t have company-owned or controlled computing assets the ability to access internal resources while reducing risks.
The next thing to address is the security of your users’ devices. Strong passwords and multifactor authentication are no match for a threat actor that has a persistent presence on your end users’ personal devices. So, more user education comes into play. Providing your users with endpoint protection software and encouraging them to turn on their operating system’s firewall and automatic update functions isn’t a bad idea either.
While there is no silver bullet for protecting your organization or your employees from threats on the internet, taking a risk-informed approach can certainly help.